Blockchain security firm CertiK and zkSync decentralized exchange (DEX) Merlin are collaborating on a plan to compensate users affected by a recent incident that cost Merlin almost $2 million.
On Thursday, Merlin disclosed that the incident, which was widely believed to be an exploit, was actually a rug pull carried out by several rogue members of its back-end developer team who tampered with the protocol’s code to achieve their objective.
CertiK and Merlin’s Plan
Merlin’s liquidity pool was drained on Wednesday, during the public sale of its native token, MAGE, and shortly after CertiK had audited the protocol’s code.
CertiK stated that a private key management issue was likely behind the event, and disclosed that it had highlighted a centralization risk in its Monday audit and advised Merlin to switch to decentralized mechanisms to avoid the possibility of a single point of key failure.
After additional investigation, Merlin and CertiK concluded that the drain was an inside job by members of the protocol’s own team. The back-end team had implemented a privileged call-action function that gave them control over the contracts and over every trading pair in the liquidity pools.
The developers also controlled Merlin’s front-end contracts and web host, which let them execute several on-chain transactions that drained the public-sale proceeds.
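The following Solidity sketch is an added illustration, not Merlin’s code or CertiK’s findings: it shows the class of owner-only “escape hatch” described above (a single key able to make a protocol contract execute arbitrary calls, and so move any token it holds or is approved for) beside a hardened variant in which privileged actions are enumerated, gated behind a multisig admin and delayed by a timelock. Contract and function names (`RouterWithBackdoor`, `callAction`, `RouterHardened`, `queueFeeSweep`) are hypothetical.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.20;

// Hypothetical illustration only; not code from the Merlin protocol.

interface IERC20 {
    function transfer(address to, uint256 amount) external returns (bool);
}

// --- Weak pattern: one EOA-controlled owner can make the contract execute
// arbitrary calls. Anything the contract holds or is approved to spend can be
// moved out in a single transaction, with no delay and no second signer.
contract RouterWithBackdoor {
    address public owner;

    constructor() { owner = msg.sender; }

    modifier onlyOwner() {
        require(msg.sender == owner, "not owner");
        _;
    }

    // This is the shape an auditor flags as a centralization risk: the
    // function body places no limit on target or calldata.
    function callAction(address target, bytes calldata data)
        external onlyOwner returns (bytes memory)
    {
        (bool ok, bytes memory ret) = target.call(data);
        require(ok, "call failed");
        return ret;
    }
}

// --- Hardened pattern: no arbitrary call at all. The only privileged action
// is a named one, the admin is expected to be a multisig rather than a single
// key, and every action is queued publicly and can only execute after DELAY,
// giving users time to see it on-chain and withdraw if they disagree.
contract RouterHardened {
    address public immutable admin;        // deploy with a multisig address
    uint256 public constant DELAY = 2 days;

    struct Pending { address token; address to; uint256 amount; uint256 eta; }
    mapping(bytes32 => Pending) public queued;

    event Queued(bytes32 indexed id, address token, address to, uint256 amount, uint256 eta);
    event Executed(bytes32 indexed id);

    constructor(address multisig) {
        require(multisig != address(0), "zero admin");
        admin = multisig;
    }

    modifier onlyAdmin() {
        require(msg.sender == admin, "not admin");
        _;
    }

    // Step 1: queue a specific, named action. Nothing moves yet.
    function queueFeeSweep(address token, address to, uint256 amount)
        external onlyAdmin returns (bytes32 id)
    {
        uint256 eta = block.timestamp + DELAY;
        id = keccak256(abi.encode(token, to, amount, eta));
        queued[id] = Pending(token, to, amount, eta);
        emit Queued(id, token, to, amount, eta);
    }

    // Step 2: execute only after the delay has elapsed; one-shot per id.
    function executeFeeSweep(bytes32 id) external onlyAdmin {
        Pending memory p = queued[id];
        require(p.eta != 0, "unknown id");
        require(block.timestamp >= p.eta, "timelock active");
        delete queued[id];
        require(IERC20(p.token).transfer(p.to, p.amount), "transfer failed");
        emit Executed(id);
    }
}
```

The practical check during review is to grep every `onlyOwner`/`onlyAdmin` function for a low-level `.call`, `delegatecall`, or an unbounded `transfer`/`approve` of tokens the contract custodies; any hit is a single point of key failure of the kind CertiK’s audit warned about, regardless of how the key is stored. The timelock does not remove the risk that a malicious admin queues a drain, but it converts a silent, instant drain into a publicly visible event with a multi-day window to react.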
Our unwavering priority is to return all funds to affected parties and participants on the Merlin platform at the earliest opportunity. To that end, we are working alongside @Certik (Team DOXX by both Prospero & Alatar Recovery Plan) to reimburse all affected users.
— Merlin (@TheMerlinDEX) April 26, 2023
A 20% White Hat Bounty
While Merlin and CertiK work on the victim aid fund plan, they have also reported the incident and the rogue technical team’s whereabouts to relevant authorities. The back-end team has been traced to Europe, specifically Serbia, and local authorities have been informed.
The protocol has also enlisted on-chain analysts to monitor the movement of the funds. The stolen assets have been traced to two wallets and had not been moved at the time of writing.
Meanwhile, CertiK has offered the developers a 20% white hat bounty, urging them to accept it and return the remaining funds rather than face legal consequences.